Solved

Using SAMBA with encrypted passwords

Posted on 1998-11-13
11
304 Views
Last Modified: 2013-12-27
Hi there,

I installed samba 1.9.18p10 on a Solaris 2.6 system. I want to access it from a WinNT 4.0 wkst with SP3.

To do this (without having to change the way winnt negotiates passwords) I have to enable encrypted passwords in samba.

Now, as I understand there are primarily two ways:
1) Make a special samba-password file
2) Let another server/domain do the authentication

I want to use method (2), so I would like to just set "security=myserver.bla.bla", where myserver is my NT PDC.
Will this work or do I still need a samba password file. The documentation is a bit ambiguous in that respect ....

Excerpt:
"In this mode Samba will try to validate the
username/password by passing it to another SMB server, such
as an NT box. If this fails it will revert
to "security = user", but note that if encrypted passwords
have been negotiated then Samba cannot revert back to
checking the UNIX password file, it must have a valid
smbpasswd file to check users against."
^^^^^^^^^

If this should be a hard question, I am willing to give more points, but I am sure this should be a pretty standard-situation.

Greetings,

         os
0
Comment
Question by:os012897
  • 4
  • 4
  • 2
  • +1
11 Comments
 
LVL 3

Expert Comment

by:arunm
ID: 2007807
Im slightly confused, using this method what would happen if you attached a NT box that did not have sp3 ie. password encryption. Wouldnt it just be easier (but admittedly less secure!) to use the registry hack to stop NT (sp3) using encrpytion?
   
0
 
LVL 3

Author Comment

by:os012897
ID: 2007808
That is what I am doing right now, but I do not want to have it that way forever.

Basically I think as long as you have a user with identical UID on the NT and UNIX box it should work, as even NT before SP3 used password encryption. The difference is just, that pre-SP3 NT had a default fallback mode where it would also send passwords unencrypted if necessary, which after SP3 isn't the case anymore.

Greetings,

       os

0
 
LVL 3

Expert Comment

by:arunm
ID: 2007809
Due to the lack of responses, Im starting to wonder if what your asking will actually work?
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 3

Author Comment

by:os012897
ID: 2007810
Well, maybe I should ask in the WInNT forum .....

os

0
 
LVL 3

Expert Comment

by:arunm
ID: 2007811
Good idea. Why not post a zero question there, indicating the problem and with the url of this thread.

0
 
LVL 3

Expert Comment

by:arunm
ID: 2007812
that should read- zero point question.

0
 
LVL 1

Expert Comment

by:kuehn
ID: 2007813
Have you tried to setup an Wins server? Samba needs wins. Without no login.
0
 
LVL 3

Author Comment

by:os012897
ID: 2007814
Hi kuehn,

I do not have Wins, but I CAN use the shares from the unix-machine. The problem is just, that I cannot use encrypted passwords (SP3) at the moment, see original question.

Greetings,

      os

0
 
LVL 2

Expert Comment

by:cwalter
ID: 2007815
You have 2 things you need to accomplish.

1. Make sure you have something similiar to the following in your smb.conf file:

[global]
   server string = Solaris SMB Server
   local master = no
   preferred master = no
   wins server = wins.domain.com
   domain master = no
   printing = bsd
   printcap name = /etc/printcap
   load printers = yes
   guest account = pcguest
   security = server
   password server = pdc.domain.com    

2. Setup your smbpasswd file with usernames and passwds which match your NT usernames and passwds.
0
 
LVL 3

Author Comment

by:os012897
ID: 2007816
Thanx cwalter,

First off, you will get your points, I would just like to have two things clarified first:

1) I am NOT using wins, is that a problem?
2) What is the smbpasswd good for? Can't I go without one?


Greetings,

          os

0
 
LVL 2

Accepted Solution

by:
cwalter earned 50 total points
ID: 2007817
You don't really need WINS, it is nice to have running, if nothing else your Unix machine could do it. If you don't have WINS running you need to have the NT name match the IP name. So if your PDC is called pdc in NT then the IP name would be pdc.domain.com.

smppasswd is kinda working as a key. Username to encrypted password and vice versa. This way Unix can match the username to the encrypted password which NT expects.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ovirt 3.6 guest VM support oracle solaris 4 81
unix scripting question 1 104
change HISTFILE for root user on AIX 3 86
Linux "time" command output redirection 16 176
FreeBSD on EC2 FreeBSD (https://www.freebsd.org) is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question